In the U.S., health care providers and medical research companies are required to protect personally identifiable information (PII) and electronic health records (EHR/EMR) under the compliance guidelines issued under the Health Insurance Portability and Accountability Act (HIPAA). Against that backdrop, researchers at SonarSource, a security solutions company, discovered four vulnerabilities in the backend code of one such medical management solution, OpenEMR, which could potentially have allowed threat actors remote access to the health records of thousands of its users.
OpenEMR is open-source medical services and patient management software designed for health care organizations. Because it is open source and free, it has a wide user base in the country. Its popularity and reputation would have been marred, however, had threat actors found the four critical vulnerabilities in the OpenEMR code before the SonarSource researchers did. All of the vulnerabilities affected servers running the Patient Portal component.
The four OpenEMR vulnerabilities were:
- Command injection
- Persistent Cross-site scripting (XSS)
- Insecure API permissions
- SQL injection
The OpenEMR Patient Portal lets patients perform various tasks online, such as communicating with doctors, filling in new-patient registration forms, booking appointments, viewing lab test results, making payments, and requesting prescription (Rx) refills. However, SonarSource researchers found that if the Patient Portal is enabled for a given provider or location and is reachable from the internet, an attacker could gain remote control of the OpenEMR server by combining these vulnerabilities.
The Deadly Combination
As per SonarSource’s blog,
The Patient Portal has its own API interface, which can be used to control all portal actions. Using this API requires authentication, but the researchers found a way to bypass it, allowing them to access and make changes to patient data, or to change information associated with backend users, such as administrators.
An attacker who is able to change administrator account data can exploit the persistent XSS vulnerability to inject malicious code that would get executed when the targeted admin logs in to their account.
Alternatively, if the attacker targets a user with lower privileges rather than an administrator, they can exploit the SQL injection vulnerability to gain access to the patient database and steal potentially valuable data.
Exploitation of the XSS and command injection flaws requires admin privileges, but the SQL injection bug can be exploited with regular user privileges.
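The article does not show the affected code, so the following is an added illustration (not OpenEMR's code, nor SonarSource's) of the SQL injection class in general: a hypothetical patient lookup built by string concatenation next to the same lookup with parameter binding, plus a regression check a defender can keep in a test suite. The table, column names and patient rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory patient table; the schema is illustrative, not OpenEMR's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (pid INTEGER PRIMARY KEY, lname TEXT, dob TEXT)")
    conn.executemany(
        "INSERT INTO patient VALUES (?, ?, ?)",
        [
            (1, "Smith", "1970-01-01"),
            (2, "Jones", "1982-05-09"),
            (3, "Nguyen", "1995-11-23"),
            (4, "O'Brien", "1988-02-14"),  # legitimate apostrophe in a surname
        ],
    )
    return conn


def lookup_by_lname_unsafe(conn, lname):
    """Hypothetical vulnerable pattern: user-controlled text is spliced into the SQL string,
    so SQL metacharacters in the input reach the parser."""
    sql = "SELECT pid, lname FROM patient WHERE lname = '" + lname + "'"
    return conn.execute(sql).fetchall()


def lookup_by_lname_safe(conn, lname):
    """Hardened version: the value is bound as a parameter and is only ever treated as data."""
    return conn.execute(
        "SELECT pid, lname FROM patient WHERE lname = ?", (lname,)
    ).fetchall()


def input_is_treated_as_data(lookup):
    """Regression check: call the lookup with a surname that contains SQL metacharacters.
    A correctly parameterised lookup returns no rows (no patient has that literal surname);
    a lookup that widens its result set, or fails with a SQL error, is building the query
    from untrusted input."""
    conn = make_db()
    probe = "Smith' OR '1'='1"
    try:
        rows = lookup(conn, probe)
    except sqlite3.Error:
        return False  # the text broke the statement: it reached the SQL parser
    return len(rows) == 0


if __name__ == "__main__":
    print("unsafe lookup treats input as data:", input_is_treated_as_data(lookup_by_lname_unsafe))
    print("safe lookup treats input as data:  ", input_is_treated_as_data(lookup_by_lname_safe))
    # The bound parameter also handles a real apostrophe, which the concatenated query cannot.
    print("safe lookup for O'Brien:", lookup_by_lname_safe(make_db(), "O'Brien"))
```

Note that the hardened lookup also copes with a genuine apostrophe in a surname, which is where concatenated queries usually first break in production; the check above is something a defender can run against every database-touching function rather than only the one the report named.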
SonarSource responsibly reported these vulnerabilities, found in OpenEMR v220.127.116.11, to the project's maintainers, who patched them in the subsequent release, v18.104.22.168, in August. OpenEMR did not issue a public notification about the vulnerabilities earlier because it wanted to give users ample time to install the update.